
FACT SHEET
NELSON & ASSOCIATES
3131 EAST 29TH STREET, SUITE E, BRYAN, TEXAS 77802
979/774-7755 [email protected] FAX: 979/774-0559
INDUSTRIAL SAFETY ENGINEERING · PRODUCT SAFETY ENGINEERING · PREMISES SAFETY ENGINEERING · CONSTRUCTION SAFETY ENGINEERING · HUMAN FACTORS ENGINEERING

CORE PRINCIPLES OF SAFETY ENGINEERING AND THE CARDINAL RULES OF HAZARD CONTROL

Safety engineering, like any applied science, is based upon fundamental principles and rules of practice. Safety engineering involves the (a) identification, (b) evaluation, and (c) control of hazards in man-machine systems (products, machines, equipment, or facilities) that contain a potential to cause injury to people or damage to property.

A REALISTIC VIEW OF THE TERM “ACCIDENT”

Safety engineers recognize that accidents are typically dynamic events involving a combination of causative factors. The term “accident” means a dynamic, multi-causal event that begins with the activation of a pre-existing hazard which then flows through its host system in a logical sequence of events, factors, and circumstances to produce a final loss event (often including personal injury of the system operator).

IMPORTANT FOUNDATIONAL CONCEPTS

System Life Cycle

The concept of “system life cycle” recognizes that every system (product, machine, facility, etc.) has a “life cycle” which begins in the (a) “concept or definition” stage before proceeding through the successive stages of (b) system “design and development,” (c) “production, manufacture, construction, or fabrication,” followed by (d) system “distribution” before arriving at the (e) system “operation or deployment” stage, which after a period of time, is inevitably followed by (f) the “termination, retirement, recycle, or disposal” stage.

The Accident Process

Effective safety engineering and safety management must also take into account what has come to be known as “the accident process.” This concept recognizes the fact that although personal injury or system damage may take place at a moment in time, the foreseeable causative factors that ultimately produce such injury or damage are typically set into motion, and could have been controlled or prevented, at an early stage in the system life cycle.

That is, this concept recognizes that foreseeable causes of accidents are typically set into motion well in advance of the injury or damage occurrence itself. A key element in the accident process is the concept of “foreseeability.” A foreseeable cause is called a “proximate cause.”

Producing vs. Proximate Cause

According to the safety engineering literature (having its counterpart in law), a “producing cause” means a cause which, in a natural and continuous sequence or chain of subsequent producing causes, produces an event, and without which the event (accident/injury) would not have occurred.

Some producing causes of accidents, through the use of reasonable and prudent methods of prediction, can be reasonably foreseen or anticipated before they actually produce an accident/injury event. Such a producing cause may further be identified as a “proximate cause.”

That is, a proximate cause is a producing cause that is reasonably foreseeable (or should be reasonably anticipated) by a person exercising ordinary care to discover and control such causes before they produce accident events.

There can also be a hierarchy of proximate causes. One or more proximate causes might logically be viewed as a primary, dominant, or root proximate cause; that is, a proximate cause that necessarily sets all following causes in motion. These root proximate causes are typically created during the early stages of the system life cycle and should be the primary targets for elimination or control at that time.

FORESEEABLE VS. UNFORESEEABLE ACCIDENTS

Until an adequate accident causation analysis has been conducted, it is unwise to conclude that its causative factors were unforeseeable. Therefore, one might define the following two types of “accidents”:

Type I Accident

A Type I Accident might be considered an undesired and unforeseen event that results in an unacceptable system loss, which could have been foreseen and prevented through the prior application of recognized principles and methods of system hazard identification, evaluation, and control.

Type II Accident

A Type II Accident might then be defined as an undesired and unforeseen event that results in an unacceptable loss, which could not have been foreseen and prevented through the application of recognized principles and methods of system hazard identification, evaluation and control.

Obviously, Type I accident events should not be called “accidents” at all in the traditional sense, but rather, such an event should more realistically be called a “foreseeable loss event.”

UNSAFE ACTS VS. UNSAFE CONDITIONS

Unfortunately, when discussing the causative factors of accidents, many people cling to the traditional over-simplified labels that have divided such factors into “unsafe acts” and “unsafe conditions.” In balance, this dichotomy approach has proven harmful to the effective control of accidents.

Many otherwise sincere individuals have mistakenly believed or assumed that these factors are subject to equal control and that only one or the other of the two need be of major concern in the prevention of accidents. Typically, such focus has been on “unsafe acts,” as the majority of practitioners do not possess the expertise to evaluate the technical issues involved, or do not recognize with what relative ease and positive effect unsafe conditions can be controlled.

The term “unsafe act” may also contain an unwarranted implication of blame or fault (rather than a genuine lack of knowledge or training). During the investigation of accidents, such an inordinate focus on “unsafe acts” will typically stifle the effective control of accidents, as the investigation is typically ended when the first immediate cause is identified (unsurprisingly some action or inaction on the part of the accident victim). As a result, potentially more important root causes related to system design are overlooked.

Herein, the term “unsafe condition” is retained, but the term “unsafe act” is rejected as historically leading to error or incomplete cause analysis.

Rather, inappropriate human actions or inactions of persons that contribute to accidents (resulting from error or human nature associated with the common relevant human factor capabilities and limitations of men and women) are called “unsafe actions,” defined as unsafe system use methods and procedures, without any initial implication of fault or blame.

Hazard Control: Engineering vs. Work Methods

Given the initial proposition that accidents can be prevented by either controlling the design of a system’s hardware, or by controlling the actions or behavior of system operators – that is, by controlling the design of the product, machine, or facility (the machine or environment), or by controlling the actions of operators or users of such systems (the man or human factor), the question then becomes:

If the goal is the effective prevention of accidents (personal injury), should one give initial primary attention to the identification and control of potential unsafe physical conditions (hazardous system hardware components), or the identification and control of potential unsafe actions (unsafe work methods and system use procedures)?

In essence, this question is asking: Are hazardous product, machine, and facility components, or the hazardous actions or behaviors of people, more easily or effectively (a) identified, (b) evaluated, and (c) controlled? (See Appendix for a discussion of this issue.)

BASICS OF SAFETY ENGINEERING

STEP #1: HAZARD IDENTIFICATION

The first step in safety engineering is “hazard identification.” A hazard is anything that has the potential to cause harm when combined with some initiating stimulus.

Many system safety techniques have been pioneered to aid in the identification of potential

“Hazard identification” in reality can be viewed as “energy identification,” recognizing that an unanticipated undesirable release or exchange of energy in a system is absolutely necessary to cause an “accident” and subsequent system damage or operator injury.

Therefore, an “accident” can now be seen as “an undesired and unexpected, or at least untimely release, exchange, or action of energy, resulting, or having the potential to result in damage or injury.” This approach simplifies the task of hazard identification as it allows the identification of hazards by means of a finite set of search paths, recognizing that the common forms of energy that produce the vast majority of accidents can be placed into only ten descriptive categories.

The goal of this first step in the hazard control process is to prepare a list of potential hazards (energies) in the system under study. No attempt is made at this stage to prioritize potential hazards or to determine the degree of danger associated with them – that will come later. At this first stage, one is merely taking “inventory” of potential hazards (potential hazardous energies).

A practical list of hazardous energy types to be identified might include:

Mechanical Energy Hazards

Mechanical energy hazards involve system hardware components that cut, crush, bend, shear, pinch, wrap, pull, and puncture. Such hazards are associated with components that move in circular, transverse (single direction), or reciprocating (“back and forth”) motion. Traditionally, such hazards found in typical industrial machinery have been associated with